Comments
Large Electric Utilities Earn High Security Scores
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
jweiss950
50%
50%
jweiss950,
User Rank: Apprentice
6/3/2014 | 10:56:27 PM
Re: The comments and conclusions do not apply to control systems.
The mission of an electric utility is to generate, transmit, and/or distribute electricity. The means of doing that is with control systems.  Business IT systems are necessary for front-office business operations but not for the core mission of the utility. Unless you don't care if the lights are on, how can you make any conclusions on the security of an electric utility when you are not even looking at the control systems?  Moreover, since control systems are often networked systems, excluding them means the scope of the project was incomplete.

Joe Weiss
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/3/2014 | 3:54:01 PM
Re: The comments and conclusions do not apply to control systems.
If I'm following you, Joe, BitSight's report and analysis doesn't dispute that control systems themselves are notoriously security-deficient. This report was based on data gathered from malware attacks on networked systems of the large electric utilities. 
jweiss950
50%
50%
jweiss950,
User Rank: Apprentice
6/2/2014 | 8:04:58 PM
The comments and conclusions do not apply to control systems.
What makes a utility different than a commercial business are the industrial control systems that monitor and control the generation, transmission, or distribution of electricity (or water or natural gas). However, this article was written from an IT focus with little knowledge of control systems. Consequently, the statements and conclusions about security and resources may be relevant to the business IT systems in a utility but they are NOT relevant to the control systems. The comments on control systems seem to focus on patching as if that is the only or biggest problem - it is not. I encourage the readers to learn more about control system cyber security. I have written a book on the subject – Protecting Industrial Control Systems from Electronic Threats or you can view my lecture to a Masters class at Stanford - https://www.youtube.com/watch?v=S3Yyv53dZ5A

Joe Weiss
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/2/2014 | 9:32:50 AM
Re: Disruption Cause for Low and High Security
@RyanSepe  "What good is data security if your own trusted entities can't access it. This is why security is strongest and most efficient when ingrained at the start of product development."  Couldn't agree more!


The trouble, of course, is that utilities -- for good reason -- aren't keen on updating their software, so even if we start building software that's got security beautifully baked in, they're unlikely to start using it.


 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2014 | 5:15:38 PM
Re: Disruption Cause for Low and High Security
The first three bullets seem to advocate not patching while the others provide data as to why patching should occur.

But this is why risk analysis is so important. There is no absolute answer but what makes the most sense to you. Is the risk of patching acceptable versus the consequence of not patching?/Is the risk of patching acceptable versus the possiblitly of system shutdown during patch? I would say whichever merits the highest risk in the scenario above, this does not site other factors that should be taken into account, should be the option not taken. Thoughts?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/30/2014 | 1:54:26 PM
Re: Disruption Cause for Low and High Security
Thanks for the info @ christianabryant. But honestly, the data you cite doesn't inspire a lot of confidence...
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
5/30/2014 | 1:26:03 PM
Re: Disruption Cause for Low and High Security
I felt the same way as @RyanSepe but after researching and reading a couple excellent articles on the topic [1][2].

Some takeaways (assuming patches can be installed without shutting down the process) include:


  • "In a landmark study of the patches for post-release bugs in OS software, Yin et al showed that between 14.8% and 24.4% of all fixes are incorrect and directly impact the end user. And if that's not bad enough, 43% of these faulty 'fixes' resulted in crashes, hangs, data corruption or additional security problems."
  • "...patches don't always solve the security issues they were designed to address. According to Kevin Hemsley, a member of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), in 2011, ICS-CERT saw a 60% failure rate in patches fixing the reported vulnerability in control system products."
  • "Most patches require the shutdown and restart of the manufacturing process. Some can also break or remove functionality previously relied on by the control system. For example, one of the vulnerabilities the Stuxnet worm exploited was a hardcoded password in Siemens' WinCC SQL database."
  • The patching process often requires staff with special skills to be available; resources aren't always on-hand or budget doesn't allow for them.
  • "At the SCADA Security Scientific Symposium (S4) in January 2012, Sean McBride noted that less than half of the 364 public vulnerabilities recorded at ICS-CERT had patches available at that time."

[1] https://www.tofinosecurity.com/blog/scada-security-welcome-patching-treadmill

[2] http://www.tofinosecurity.com/blog/patching-scada-and-ics-security-good-bad-and-ugly
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/30/2014 | 1:19:35 PM
Re: Disruption Cause for Low and High Security
Agreed, @RyanSepe. The problem with many of these older ICS/SCADA systems is that they are old and predate the security threats we face today. Many were built for the pre-Internet days, so it's a legacy problem, too. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2014 | 11:23:46 AM
Re: Disruption Cause for Low and High Security
I agree. I think we need to remember as InfoSec Professionals that there is a functionality principle that needs to be adhered to. What good is data security if your own trusted entities can't access it.

This is why security is strongest and most efficient when ingrained at the start of product development. And hopefully with the many regulations in place for different types of institutions vendors will take that into consideration.
Bprince
50%
50%
Bprince,
User Rank: Ninja
5/30/2014 | 10:57:46 AM
Re: Disruption Cause for Low and High Security
I agree. Compensating measures have to be taken to keep those older systems safe. That's why strong perimeter security is important. Honestly, I just think there isn't much more that  can be done to secure some of these systems other than reduce their connectivity to the Internet as much as possible, but that can hurt business productivity.  Happy to see the utilities scoring so high on this.

BP
Page 1 / 2   >   >>


Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

CVE-2014-2966
Published: 2014-07-26
The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism.

CVE-2014-3071
Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.